
Microsoft Launches $100k Bug Bounty Program

Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."
  • by Bremic ( 2703997 ) on Wednesday June 19, 2013 @08:50PM (#44056105)

    I kind of agree.

    However there are some things that will make this nearly impossible to claim even if you manage to find something.

    It needs to be new, which means something they didn't know about.
    However, they don't need to tell anyone when they learn about something new, which opens a perfect hole for them to say "Oh that one, we knew about that one" even if they didn't.

    The line "a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows" is also important. Because it gives them another way out of paying for it. "Oh you are using Windows 8 with security patch 8.12.235321, but we are about to release security patch 8.12.235322 which has already fixed that - so you weren't on the latest version."

    These are old tricks, which I have seen used by companies for other things where there is supposedly a reward.
